NIS2 for Transport: Aviation, Rail, Maritime, and Road

NIS2 for the transport sector: understand the obligations of aviation, rail, maritime, and road operators under Annex I, Sector 2.

Daniel Grigorovich
Founder · 6 May 2026 · 8 min read

Who should read this: Transport Operators, Aviation Safety Officers, Rail Network Managers, Maritime Operators.

Transport infrastructure is the circulatory system of the European economy. Aviation, rail, maritime, and road networks move goods, passengers, and data across borders, enabling commerce, connectivity, and personal mobility. Disruption to any of these networks ripples across economies and daily life.

The NIS2 Directive recognises this criticality by designating transport as a critical sector in Annex I, Sector 2. The scope is comprehensive: it includes aviation service providers (airports, airlines, air traffic management), rail infrastructure managers and operators, maritime transport operators, and road transport operators managing critical infrastructure. For all of these entities, NIS2 imposes proportionate cybersecurity obligations reflecting the life-critical and economy-critical nature of transport systems.

Transport operators face unique cybersecurity challenges: their systems are often long-lived (an airport’s air traffic control system may operate for 20+ years), they depend on legacy hardware and software, they integrate operational technology (OT) with information technology (IT), and they depend on complex supply chains of equipment manufacturers, software vendors, and service providers. NIS2 requires that these challenges be managed proportionately whilst ensuring that cybersecurity risk does not compromise operational continuity or public safety.

This post unpacks NIS2 requirements for transport operators, clarifies the scope of Annex I, Sector 2, and provides practical guidance on proportionate compliance for this diverse and complex sector.

Defining the Transport Sector Under NIS2

Annex I, Sector 2 designates the transport sector as comprising:

  • Airports managing commercial air traffic.
  • Airlines and air navigation service providers.
  • Rail infrastructure managers and operators (managing railway networks, signalling systems, and operational control centres).
  • Maritime port operators and shipping operators providing maritime transport services.
  • Road operators managing critical road infrastructure (particularly major motorway operators).

The common thread is public functionality: these entities provide transport services essential to the economy and public life. An airport’s operations system, an airline’s flight management systems, rail signalling and traffic control, maritime navigation and port operations, and road traffic management systems are all designated.

Importantly, the designation focuses on the entity’s role in transport operations, not on possession of sensitive data alone. A cybersecurity firm may handle data about transport operators, but the firm is not itself an essential service provider unless it manages critical transport infrastructure. Conversely, an airport operator is designated regardless of whether it handles passenger data; its designation stems from its role in aviation operations.

Member States may set size thresholds or sector-specific criteria when implementing NIS2. For example, some Member States may designate only major airports (those handling above a certain passenger volume) or major motorways. Compliance officers should check their Member State’s implementation to confirm whether their entity falls within scope.

Operational Technology, Legacy Systems, and Security by Design

Transport systems present a distinctive cybersecurity challenge: they operate at the boundary between information technology (IT) and operational technology (OT). A rail signalling system is an OT system: it receives input from sensors, processes that input, and sends control signals to track switches and train brakes. Unlike a failure in an office IT system, a failure in signalling could result in a train collision, injuries, or deaths. Cybersecurity is not merely a business issue; it is a safety-critical issue.

Many transport operators inherit legacy systems: air traffic control systems designed in the 1980s, signalling systems deployed 20+ years ago, and maritime navigation systems that predate modern cybersecurity practice. These systems cannot be easily patched; they cannot be taken offline for updates; and they may not support modern authentication or encryption.

NIS2 requires that entities implement “proportionate” technical and organisational measures (Article 21). For legacy systems, proportionality recognises the technical constraints. An operator cannot replace a safety-critical system overnight. Instead, proportionate controls might include:

  • Network segmentation and air-gapping: Isolating critical OT systems from general IT networks and the internet, reducing exposure to internet-borne threats.
  • Monitoring and intrusion detection: Even if modern cryptographic controls are not feasible, monitoring systems for anomalous behaviour and unusual commands can detect attacks.
  • Physical security: Controlling physical access to critical systems, preventing tampering.
  • Vendor management: Ensuring that third parties providing maintenance, updates, or remote access to systems operate under strict security protocols.
  • Incident response: Establishing procedures for rapid detection and containment of incidents affecting operational systems.
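The two controls above that remain feasible on legacy OT, segmentation and monitoring for unusual commands, can be checked against the same command log. The following is an added example, not code from the original post: it parses constructed signalling command log lines and raises alerts when a command crosses from the IT zone into the OT zone, when a source is not on the approved list or issues a command outside its allowlist, or when one source sends a burst of safety-relevant commands. The log format, the zone address ranges, the host addresses, the command names and the thresholds are all assumptions chosen for illustration.

```python
"""Allowlist and segmentation checks over OT command logs.

Added, constructed example (not from the original post). The log format,
zone layout, IP addresses, command names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Assumed zone layout: OT network 10.10.0.0/16, IT office network 10.20.0.0/16.
OT_ZONE = ipaddress.ip_network("10.10.0.0/16")
IT_ZONE = ipaddress.ip_network("10.20.0.0/16")

# Assumed allowlist: which sources may issue which commands to interlocking controllers.
ALLOWED_COMMANDS = {
    "10.10.1.5": {"READ_STATUS", "SET_SIGNAL", "SET_SWITCH"},  # operational control workstation
    "10.10.1.9": {"READ_STATUS"},                              # monitoring / historian server
}

# Commands that change the state of the railway; a burst of them is suspicious.
SAFETY_COMMANDS = {"SET_SWITCH", "SET_SIGNAL", "EMERGENCY_BRAKE"}
BURST_LIMIT = 3                          # more than this many safety commands ...
BURST_WINDOW = timedelta(seconds=10)     # ... within this window triggers an alert


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    cmd: str


def parse_line(line: str) -> Event:
    """Parse a constructed 'ISO-timestamp src=IP dst=IP cmd=NAME' log line."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return Event(datetime.fromisoformat(ts_str), fields["src"], fields["dst"], fields["cmd"])


def detect(lines):
    """Return a list of (rule, description) alerts for the given log lines."""
    alerts = []
    recent = defaultdict(list)  # src -> timestamps of its recent safety commands
    for line in lines:
        ev = parse_line(line)
        src_ip = ipaddress.ip_address(ev.src)
        dst_ip = ipaddress.ip_address(ev.dst)

        # Rule 1: segmentation violation. A command reaching an OT controller from
        # outside the OT zone means the IT/OT boundary has been crossed.
        if dst_ip in OT_ZONE and src_ip not in OT_ZONE:
            alerts.append(("segmentation", f"{ev.src} -> {ev.dst} {ev.cmd} crosses into the OT zone"))
            continue

        # Rule 2: unknown source, or a known source issuing a command it is not approved for.
        allowed = ALLOWED_COMMANDS.get(ev.src)
        if allowed is None:
            alerts.append(("unknown-source", f"{ev.src} issued {ev.cmd} but is not an approved source"))
        elif ev.cmd not in allowed:
            alerts.append(("unusual-command", f"{ev.src} issued {ev.cmd}; allowed: {sorted(allowed)}"))

        # Rule 3: burst of safety-relevant commands from one source inside the window.
        if ev.cmd in SAFETY_COMMANDS:
            window = recent[ev.src]
            window.append(ev.ts)
            window[:] = [t for t in window if ev.ts - t <= BURST_WINDOW]
            if len(window) > BURST_LIMIT:
                alerts.append(("burst", f"{ev.src} sent {len(window)} safety commands within {BURST_WINDOW.seconds}s"))
    return alerts


# Constructed sample log: one normal exchange followed by four different anomalies.
SAMPLE_LOG = [
    "2026-05-06T08:00:00 src=10.10.1.5 dst=10.10.2.1 cmd=READ_STATUS",
    "2026-05-06T08:00:05 src=10.10.1.5 dst=10.10.2.1 cmd=SET_SIGNAL",
    "2026-05-06T08:00:07 src=10.10.1.9 dst=10.10.2.1 cmd=SET_SWITCH",   # historian may only read
    "2026-05-06T08:00:09 src=10.20.4.7 dst=10.10.2.1 cmd=SET_SWITCH",   # office host reaching OT
    "2026-05-06T08:00:12 src=10.10.1.5 dst=10.10.2.1 cmd=SET_SWITCH",
    "2026-05-06T08:00:13 src=10.10.1.5 dst=10.10.2.1 cmd=SET_SWITCH",
    "2026-05-06T08:00:14 src=10.10.1.5 dst=10.10.2.1 cmd=SET_SWITCH",   # 4th safety cmd in 10s
    "2026-05-06T08:00:30 src=10.10.3.3 dst=10.10.2.1 cmd=READ_STATUS",  # not an approved source
]


if __name__ == "__main__":
    for rule, description in detect(SAMPLE_LOG):
        print(f"[{rule}] {description}")
```

The rules deliberately need nothing from the legacy controllers themselves: they work from a passive copy of the command traffic (a network tap or the controller's own command log), so they can be applied to equipment that cannot be patched or given modern authentication. The allowlist is the part that must be maintained; it should be derived from the approved operating procedures and reviewed whenever a workstation or maintenance vendor connection is added.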

For new systems and modernisation projects, security-by-design is the expectation. When transport operators deploy new systems, they should incorporate security from the outset: secure authentication, encrypted communications, validated code, and resilience to failure.

Supply Chain Dependencies and Third-Party Risk

Transport operators depend on complex supply chains. Airlines rely on manufacturers like Boeing and Airbus; rail operators depend on signalling equipment manufacturers like Siemens and Alstom; maritime operators use navigation and control systems from vendors like Kongsberg Maritime; road operators depend on traffic management software from various providers.

These vendors are not themselves essential service providers (unless they happen to manage critical infrastructure). However, their products and services are critical to transport operations. A compromised firmware update from an equipment manufacturer can cascade through all their customers’ systems. A vulnerability in air traffic management software affects every airport using that software.

Article 22 requires that entities ensure their third-party suppliers implement proportionate cybersecurity measures. For transport operators, this means:

Vendor due diligence: Assess vendors’ cybersecurity practices before contracting. Does the vendor conduct security testing? Does it have a vulnerability disclosure programme? Does it have incident response procedures?

Contractual requirements: Establish clear cybersecurity expectations in contracts. Require vendors to implement secure software development practices, conduct security testing, and provide timely security updates.

Incident notification: Require vendors to notify the operator immediately upon discovering vulnerabilities or incidents affecting the operator’s systems.

Update and patch management: Establish procedures for deploying vendor updates promptly, with testing to ensure compatibility. For safety-critical systems, procedures must ensure that patches do not introduce new risks.

Supply chain visibility: Understand the supply chain dependencies. Does the vendor outsource development? Does it use third-party components? Are there single points of failure?

For transport operators, supply chain security is not merely a compliance exercise; it is essential to operational safety and continuity.

Board-Level Governance and Safety-Critical Cybersecurity

Transport operators are often regulated under safety frameworks (civil aviation authorities, rail safety regulators, maritime authorities) in addition to cybersecurity frameworks. These safety regulators view cybersecurity as a safety issue: a cybersecurity incident affecting a critical system is a potential safety incident.

Board-level governance under NIS2 (Article 21) must account for this dual regulatory reality. Directors and senior executives must understand:

  • Cybersecurity risk to operational continuity: Which systems are most critical? What is the impact of outages or compromise?
  • Safety implications: How could a cybersecurity incident affect public safety?
  • Investment needs: What cybersecurity investments are necessary to manage risk proportionately?
  • Incident response and escalation: How will the organisation detect and respond to incidents? How will escalation to safety regulators occur if incidents threaten safety?

For transport operators, the board’s cybersecurity focus should be on operational resilience and safety. Downtime means lost revenue, but more importantly it may endanger public safety, strand passengers, and halt the transport of critical goods.

Incident Response and Business Continuity

Article 23 requires that essential service providers (including transport operators) maintain incident response plans and report significant incidents to competent authorities within 24 hours.

For transport operators, incident response must account for operational urgency. An airport experiencing a disruption to air traffic control systems must restore operations rapidly; delaying restoration in order to investigate may cascade into grounded flights, diverted aircraft, and economic disruption. At the same time, restoration must be done safely: bringing systems back online without confirming that the attack is contained could re-infect the network.

Proportionate incident response for transport should include:

Rapid response team: Dedicated personnel trained to respond immediately to incidents, with authority to take containment actions (disconnecting systems, reverting to manual operations).

Coordination with safety authorities: Clear procedures for notifying transport safety regulators (e.g., civil aviation authority, rail regulator) if incidents threaten safety.

Redundancy and recovery: Backup systems, alternate procedures, and tested recovery processes so that services can be restored quickly.

Forensic investigation: The ability to investigate incidents after they are contained, to determine root cause and prevent recurrence.

Documentation and transparency: Clear incident reporting to competent authorities, national CSIRTs, and (as appropriate) safety regulators.

Cross-Border Transport and Coordinated Response

Transport networks are inherently cross-border. An aviation incident affects multiple countries; a railway attack affecting major freight corridors affects multiple Member States; maritime transport connects distant ports. Significant incidents affecting transport often require coordinated response across Member States and, potentially, at the EU level.

Articles 14-16 of NIS2 establish coordination mechanisms (the Cooperation Group and EU-CyCLONe) for cross-border incident response. Transport operators should be aware that significant incidents may trigger notification not only to their national competent authority and CSIRT, but also to EU-level coordination bodies and peer transport operators.

This cross-border coordination serves several purposes: it enables intelligence sharing about threat actors and attack patterns, it facilitates rapid response by coordinating recovery efforts, and it ensures that transport continuity is maintained across the EU.

Key Takeaways

  • Transport (aviation, rail, maritime, road) is designated as critical infrastructure under NIS2. Scope includes commercial airports, airlines, air navigation services, rail operators, maritime operators, and major road operators.
  • Proportionality is essential for transport, given the prevalence of legacy systems. Controls should focus on network segmentation, monitoring, physical security, and effective third-party vendor management, recognising technical constraints of long-lived OT systems.
  • Board-level governance must address cybersecurity as a safety issue, not merely a business issue. Directors must understand critical systems, operational risks, safety implications, and investment needs.
  • Supply chain security is critical: transport operators depend on equipment manufacturers and software vendors whose vulnerabilities cascade through multiple operators. Vendor due diligence, contractual requirements, and incident notification procedures are essential.
  • Incident response must balance rapid recovery with safe containment. Transport operators must maintain redundancy, coordination procedures with safety regulators, and rapid response teams.
  • Cross-border incident coordination through national competent authorities and CSIRTs, and through EU-level bodies (the Cooperation Group, EU-CyCLONe), ensures that significant incidents affecting multiple Member States are handled at the appropriate level.

Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.